
My bank went through a major redesign of their customer online banking system recently. The way security is managed across the platform was also reviewed. The password I am able to set now to log in is forced to be 6 digits long, numerical.

This goes a long way against what I thought to be a secure password policy. On the other hand, I trust my bank to know what they are doing.

Could you help me understand how good this policy is?

  • Compared to common practices in the sector.
  • From a more general IT security point of view.
  • As a customer: How much should I be worried that my account may be easy to compromise?

Notes:

  • The user name is my ID card number, which is almost public data.
  • Someone entering my account is still not able to make a payment before it goes through another security mechanism (which we will assume to be good).
mika
  • lots of banks use 4-digit pin – phuclv Jun 05 '16 at 09:53
  • @LưuVĩnhPhúc But that PIN is usually only useful if you have the card it goes with, so it's not really a comparable situation. – David Richerby Jun 05 '16 at 20:41
  • I don't get why financial institutions usually have the worst (least secure) password requirements. Limiting your password length, requiring you only use numbers, etc. – Keavon Jun 06 '16 at 06:11
  • I'm not even concerned about how long this password is, but more for the fact *that there is only a password*. In Switzerland every single bank I ever dealt with had a strong form of 2FA in place... I thought this was an industry standard... – fgysin Jun 28 '16 at 12:22

13 Answers


A 6 digit numerical password doesn't do much.

Why 6 Digits?

Troy Hunt has an excellent blog about being forced to create weak passwords where he talks about various bad practices including forcing short numerical passwords and puts forward the often used excuse that

“We want to allow people to use the same password on the telephone keypad”

The only valid reason to require a numerical only password is that the only input available to a user is numerical (e.g. with ATMs); (similarly the only valid reason to require a human readable password is that a human will read it - which would be a very bad sign if it was used not just for telephone banking, but for the website too).

But if that is the reason, why on earth would they force you to use the same insecure pass code online (or on mobile), when you have access to a full qwerty keyboard?

How easy to brute force the way in?

There are 10^6 possible passwords consisting of 6 digits.

For an unskilled attacker, getting into your account is no problem at all if they have your username and unlimited attempts. You should assume they have your username. Usernames are not secrets.

Let's maybe assume the bank has thought of this, and locks each account after 3 bad tries, or perhaps initiates a robot-limiting option like a captcha to try again after that. Then the attacker still has a 3/1000000 chance of getting in to a random account within that window.

That means if they attack 1000000 accounts, they can expect to get into 3. And making 3000000 requests would not take very long at all.

Compare that to how many passwords there are with 6 alphanumeric characters (by most security standards, far too short, and not complex enough).

There are 62^6 = 56800235584 possible 6-character alphanumeric passwords. That's still too weak but it's already 56800 times stronger!

Stored securely?

Needless to say, if the user database was breached, 10^6 possible passwords is ridiculously low entropy, and whatever hashing and salting system they've used, they can't keep your passcode secure.

Your bank's plan in the case of a database breach is presumably to roll over and cry. Maybe they think the outcome is so bad they just aren't going to plan for it.

Assuming the other authentication method is secure, should I worry?

An attacker seeing your finance history is a really big issue; you should be worried even if the other authentication method blocking transfers is secure. And you should not expect the other method to be secure.

How much other information is leaked about you without the 2nd authentication method? Your name, address, email, maybe?

These are more than enough to start doing background research on you, to get additional info - these could be clues to your other password, or good strong information on how to phish you. They might try calling you, using the information they have on you so far to gain your trust, pretending to be the bank, and trick you into revealing other secrets about yourself under a ruse that you need to authenticate to them by answering the last few questions they need in order to get into your account.

As another example, if the 2nd authentication method is a strong password, but the customer (and for most customers the "you" isn't tech savvy) happens to have ever been included in a database breach for another website where they used the same username/email and password, then it's game over. This logic applies to any username/password based system, but is particularly relevant in this case because the attacker is able to discover other information about you exposed by the first insecure authentication method, and because the 2nd password is now the only barrier to them taking your money. This is one reason why the industry standard is to require two-factor authentication on banking websites before showing the user anything.

As for industry standards: my bank has no maximum password length, accepts special characters, and then follows it up with a 2nd passcode which can only be entered by selecting some letters from a series of drop-downs (so the entire 2nd passcode isn't used in a single attempt).

I'd prefer it if my bank used an out of band 2nd authentication factor; such as a code being sent to my phone.

perfectionist
  • Disclaimer - not a security expert. Just a regular developer who reads a **lot** about security. Most of my opinions here are backed up by Troy Hunt's blog. – perfectionist May 31 '16 at 14:37
    on storage if it's a bank it's very likely they're using an HSM for password storage. Unless they've made heinous mistakes in managing it, compromising the encrypted (yes encrypted not hashed) password wouldn't help you much, so that part of your answer isn't likely correct (or at least you lack sufficient information to reach the conclusion you have reached) – Rory McCune Jun 01 '16 at 14:28
  • > Your bank's plan in the case of a database breach is presumably to roll over and cry. Maybe they think the outcome is so bad they just aren't going to plan for it. **Finance (and banks) are all about risk management.** Banking is a strongly regulated industry (Internationally Basilea, SOX, national laws and regulations). Any bank with a childish risk management such as "roll over and cry" would not even be authorized to operate, much less survive any kind of auditing (and they suffer auditing all the time). – Mindwin Remember Monica Jun 01 '16 at 17:42
  • @Mindwin That's a nice comfort thinking to have, but once you start working with any banking system, all bets are off. One of the biggest banks in Brazil has a super-strong, virtualized sandbox browser for clients to access their account. Partners of this bank receive a partial copy of the database in text files everyday. By e-mail. I had once to do a job for them as a developer, and after the fact I silently moved my account somewhere else. – T. Sar Jun 03 '16 at 16:30
  • @ThalesPereira your comment is malicious. First, **lack in ethics** because you should not doxx your clients. You don't say who is your client, but any 10 year old hacker can find it out (from only what you said above I can narrow it to two or three companies). Second, banking databases have several levels of security clearance. What databases are sent via email? Are they public or semi-public? Is the email attachment secure? Without knowing the circumstances, your comment becomes a smear campaign. A reader can get the wrong impression that the whole banking system of a G20 country is crap. – Mindwin Remember Monica Jun 03 '16 at 16:41
  • @Mindwin Honestly, I think you're seeing far more in my comment than it's worth. My country has over 120 _huge_ banks, so my comment is not that specific, anyway. Still, no. The attachments are not secure. They are just plain text files. It was _shameful_ for me to work with them. Anyway, keep in mind that I'm not saying that all banks are like that. – T. Sar Jun 03 '16 at 17:21
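The "attack 1000000 accounts, expect to get into 3" arithmetic in the answer above, as an added worked model that is not part of the answer or of any bank's code. It assumes a lock-after-3-failures policy, a known list of usernames, and a constructed (not measured) popularity table for human-chosen PINs; the `PinBank`, `spray` and `simulate` names are illustrative. It computes the expected yield analytically for 10^6 and 62^6 keyspaces and then simulates the spray against a small bank to show that the per-account lockout never fires, and that skewed human choices raise the yield by orders of magnitude over the uniform estimate.

```python
"""Spray attack model: one short guess list tried once against many accounts,
each protected by a 6-digit PIN and a lock-after-3-failures policy."""
import random
from collections import Counter

KEYSPACE_DIGITS = 10 ** 6   # six decimal digits
KEYSPACE_ALNUM = 62 ** 6    # six case-sensitive alphanumerics, for comparison
LOCKOUT_AFTER = 3           # assumed bank policy: lock on the third failure

# Constructed, illustrative popularity table (share of customers picking each
# PIN). Not real breach statistics; only the skew matters for the model.
POPULAR_PINS = {"123456": 0.020, "111111": 0.006, "000000": 0.005, "123123": 0.004}


def expected_compromised(n_accounts, attempts, keyspace):
    """Uniformly random PINs: each account falls with probability attempts/keyspace."""
    return n_accounts * attempts / keyspace


def expected_compromised_skewed(n_accounts, guesses, popularity, keyspace):
    """Human-chosen PINs: a guess hits with its listed share; every unlisted
    PIN gets an equal slice of the remaining probability mass."""
    residual = (1.0 - sum(popularity.values())) / (keyspace - len(popularity))
    return n_accounts * sum(popularity.get(g, residual) for g in guesses)


class PinBank:
    """Minimal login endpoint: per-account counter, lock after LOCKOUT_AFTER failures."""

    def __init__(self, pins, lockout=LOCKOUT_AFTER):
        self.pins, self.lockout, self.failures = pins, lockout, Counter()

    def login(self, user, pin):
        if self.failures[user] >= self.lockout:
            return "locked"
        if self.pins[user] == pin:
            return "ok"
        self.failures[user] += 1
        return "fail"


def draw_pin(rng, popularity):
    """Sample one customer's PIN: popular table first, otherwise uniform."""
    r, acc = rng.random(), 0.0
    for pin, share in popularity.items():
        acc += share
        if r < acc:
            return pin
    return f"{rng.randrange(KEYSPACE_DIGITS):06d}"


def spray(bank, users, guesses):
    """Stop one guess short of the lockout on every account and move on; the
    per-account lock never fires, so the yield scales with the username list."""
    broken = 0
    for user in users:
        for guess in guesses[: bank.lockout]:
            if bank.login(user, guess) == "ok":
                broken += 1
                break
    return broken


def simulate(n_accounts, popularity, seed=7):
    """Build n_accounts customers with PINs drawn from `popularity` (empty dict
    = uniformly random PINs) and return how many a popularity-ordered spray breaks."""
    rng = random.Random(seed)
    users = [f"id{i:08d}" for i in range(n_accounts)]  # usernames assumed known
    bank = PinBank({u: draw_pin(rng, popularity) for u in users})
    guesses = sorted(popularity, key=popularity.get, reverse=True) or ["123456", "111111", "000000"]
    return spray(bank, users, guesses)


if __name__ == "__main__":
    print("uniform PINs, 1M accounts, 3 tries each:", expected_compromised(10**6, 3, KEYSPACE_DIGITS))
    print("same attack against a 62^6 keyspace:", expected_compromised(10**6, 3, KEYSPACE_ALNUM))
    print("skewed PINs, analytic:", expected_compromised_skewed(10**6, ["123456", "111111", "000000"], POPULAR_PINS, KEYSPACE_DIGITS))
    print("skewed PINs, simulated 100k accounts:", simulate(100_000, POPULAR_PINS))
    print("uniform PINs, simulated 100k accounts:", simulate(100_000, {}))
```

The uniform case reproduces the 3-in-a-million figure; the skewed case, with the same lockout, hands the attacker a few percent of every account list they can get hold of, which is why a per-account lockout on its own does not rescue a 10^6 keyspace.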

Unusual? Yes. Crazy? No. Read on to understand why...

I expect your bank has a strong lockout policy, for example, three incorrect login attempts locks the account for 24 hours. If that is the case, a 6-digit PIN is not as vulnerable as you might think. An attacker that tried three PINs every day for a whole year, would still only have about a 0.1% chance of guessing the PIN.

Most websites (Facebook, Gmail, etc.) use either email addresses or user-selected names as the user name, and these are readily guessable by attackers. Such sites tend to have a much more relaxed lockout policy, for example, three incorrect logins locks the account for 60 seconds. If they had a stronger lockout policy, hackers could cause all sorts of trouble by locking legitimate people out of their accounts. The need to keep accounts secure with a relaxed lockout policy is why they insist on strong passwords.

In the case of your bank, the user name is a 16-digit number - your card number. You do generally keep your card number private. Sure, you use it for card transactions (online and offline) and it is in your wallet in plaintext - but it is reasonably private. This allows the bank to have a stronger lockout policy without exposing users to denial of service attacks.

In practical terms, this arrangement is secure. If your house mate finds your card, they can't access your account because they don't know the PIN. If some hacker tries to bulk hack thousands of accounts, they can't because they don't know the card numbers. Most account compromises occur because of phishing or malware, and a 6-digit PIN is no more vulnerable to those attacks than a very long and complex password. I suspect that your bank has no more day-to-day security problems than other banks that use normal passwords.

You mention that transactions need multi-factor authentication. So the main risk of a compromised PIN is that someone could view your private banking details. They could see your salary, and your history of dodgy purchases. A few people have mentioned that a 6-digit PIN is trivially vulnerable to an offline brute force attack. So if someone stole the database, they could crack your hash, and get your PIN. While that is true, it doesn't greatly matter. If they cracked your PIN they could login and see your banking history - but not make transactions. But in that scenario they can see your banking history anyway - they've already stolen the database!

So while this arrangement is not typical, it appears that it is not so crazy after all. One benefit it may have is that people won't reuse the same password on other sites. I suspect they have done this for usability reasons - people complained that they couldn't remember the long, complex passwords that the site previously required.

paj28
  • An attacker with access to a list of usernames CAN expect on average to get into 3 accounts after trying to unlock 1000000 users. So what if your account personally only has a 3/1000000 chance of being unlocked on the first try? Surely you can't condone how easy it is for an attacker to simply unlock random accounts? – perfectionist May 31 '16 at 23:33
  • @perfectionist That is a strawman argument. Most competent banks likely have an IP-based lockout method that blocks non-distributed attacks on consecutive failed logins. A hacker with access to a thousand IPs, and fails 10 logins on each IP, only has a 1% chance of randomly accessing one account. Furthermore, the answer already clearly stated that the other factor (the username) is not known to potential attackers, so your scenario is not likely. – March Ho Jun 01 '16 at 04:56
  • @MarchHo A 1% chance under these conditions is **HUGE**. Anyone with a medium sized botnet (or access to a university campus IT system) is basically guaranteed to break into a few accounts over a short amount of time. I don't see how this is not obvious. – Thomas Jun 01 '16 at 06:02
  • I think you make a point - the strong lockout policy is where the major difference lies. Most explanations that detail password strength based on entropy assume that you have a chance to try many passwords. In this context, this cannot be done straight away... – mika Jun 01 '16 at 06:48
  • And just to clarify a detail: the username is my personal (national) ID card number, not my credit card number. It does not make a big difference, though. – mika Jun 01 '16 at 06:53
  • @mika Depending on what culture there is about keeping your ID card number secret in your country, I would say that might make a big difference. Almost all people know that your credit card number should be kept secret, is there the same culture around ID card numbers? – Anders Jun 01 '16 at 07:38
  • @Anders I am not aware that my ID card number may appear anywhere on the web. I do not consider it a secret, though. I have had the chance to see lists of other people's ID card numbers coming along with their names in results for public sector services, for example. – mika Jun 01 '16 at 08:09
  • @perfectionist - So how would someone get a list of 1000000 user names? – paj28 Jun 01 '16 at 09:17
  • @paj28 Government data breach? Data breach in any other organisation that also stores them? Aggregating publicly available sources? Question specifies them as "almost public data". – Anders Jun 01 '16 at 09:35
  • @paj28 If the security of your system depends on "almost public data" not being public, your system is not secure. – Anders Jun 01 '16 at 09:38
  • Credit card numbers/national id numbers/usernames/whatever won't be stored in a irreversible form in databases and thus could be explosed either through a weakness in the bank's website or through existing leaks. Don't assume that this information is unobtainable. – haze Jun 01 '16 at 13:02
  • I would have said the exact opposite "Unusual? No. Crazy: Yes." – CodesInChaos Jun 01 '16 at 16:40
  • This is a poor practice built on top of a poor threat model. perfectionist has a much better answer. – Fernando Jun 05 '16 at 03:03
  • @Fernando - Just saying "poor practice" doesn't mean much. Can you explain why you have that opinion? – paj28 Jun 05 '16 at 17:38
  • @paj28 please read the answer that perfectionist provided. His suggestion to read more on Troy Hunt's blog would also give you more information. The short version is that it introduces unnecessary risk and makes incorrect assumptions. For example - "An attacker that tried three PINs every day for a whole year, would still only have about a 0.1% chance of guessing the PIN." this is a substantial risk. Less so in the assume targeted threat model but very dangerous in the blanketed-attack model where multiple accounts are targeted. – Fernando Jun 06 '16 at 18:57
  • @Fernando - I read it before I posted. I agree this system does introduce risk, but my point is that it's low risk (perfectionist implies it's high risk). You mention a blanketed-attack, that relies on a data breach for the ID number, and doesn't permit fraud. While I guess that's a valid theoretical threat, it's not something happening in practice (at least, when I last was in banking) and there's no real motive for fraudsters to do it. – paj28 Jun 06 '16 at 19:24
  • There are two inputs here according to you (1) the user name is a 16-digit number - your card number. (2) the other is a 6-digit pin. Credit card numbers are trivially purchased and accessed in large quantities due to unfortunate amounts of card skimming. This means that there is a reasonable supply of (1). 6 digits is a trivially small passcode and if we multiply the risk of getting (1) and guessing (2) together you have a decent chance of breach. You can do some math to find some risk estimate but it seems significant to me. – Fernando Jun 07 '16 at 17:11
  • If you want a bank that ignores best practice by all means go ahead but I'll be avoiding them if @mika tells us who they are :D – Fernando Jun 07 '16 at 17:17

Original answer

This is a bad, bad policy. There are only 10^6, or a million, different 6-digit numbers. That is far too little.

It is almost impossible to prevent an offline brute force attack, no matter how slow a hashing algorithm you use. If one attempt takes 1 second, you will crack a password in 11 days. It may also be too little to completely stop a clever online brute force attack, if the attacker can use multiple IPs (say, from controlling a botnet) and has many different card numbers to try on.

This is made worse by the fact that, just like with ordinary passwords, most people don't pick them at random. 123456 is bound to show up a lot, and so are numbers that represent dates. In practice, most passwords will have much less than 6×log2(10) ≈ 20 bits of entropy.

I can see no reason why you should not be allowed to pick a stronger password. This practice sends the signal that they simply do not care about security. It also makes me suspect that somewhere in their database there is a NUMBER(6) instead of a hash stored.

That payments can't be done without another factor of authentication is a bit comforting, but not much. An attacker could still see your account history, something that could contain very sensitive information and also be used for phishing.

Even if this will probably never be used against you, if I were you, I would consider switching to a new bank. Preferably one that requires two-factor authentication at login.

Further comments

There has been some discussion in comments and some good answers with another view have popped up, so I would like to elaborate and respond to some critiques.

But the usernames are secret!

According to the question, the ID card numbers (not to be confused with credit card numbers) are "almost public", and OP has clarified in comments that he has seen lists of them as "results for public sector services". In other words, the usernames are not secret. And they should not have to be – if the security of your system rests on the fact that the usernames are secret, you are doing it wrong.

Rate limit per account and/or IP number will take care of this.

A distributed brute force attack, e.g., using a botnet, would have a decent chance to break a few accounts. Let's say you have 10 000 computers, and each computer tests 3 passwords per day during a month on different accounts. That is about 10^6 attempts. That will give you one account on average if the passwords are truly random. In the real world, you will get much, much more.

Sure, the bank could theoretically have some sophisticated system to detect and defend against attacks like this. Maybe, maybe not. As a customer, I have no way of knowing, and I certainly do not trust an organisation that can't even get the password policy right to do anything more advanced.

An offline attack is irrelevant. If the passwords are out, so are the sensitive data they are protecting.

Maybe, maybe not. There are plenty of data dumps floating around the Internet with incomplete data. To claim that the passwords will be forever glued to your account history makes some very strong assumptions on how the breach happened and how the data was handled afterwards.

Your credit card PIN is only four digits, so what does it matter anyway?

Your credit card PIN is one weak factor in a two-factor authentication. The other factor – possession of the card – makes the system stronger.

This password is a weak factor, and it is also the only factor protecting your financial information.

Conclusion

To be clear, I am not saying it would be impossible for a bank to make this system secure with other means. I am not saying a successful attack on anyone's account is likely, even less so on yours specifically. What I am saying is that this is not "secure enough" for a bank.

The bank has already gone through the trouble of setting up two-factor authentication for financial transfers. Why not just use it for logins as well?

The bank has (hopefully) already gone through the trouble of hashing a password and storing it in a database. Why not just remove the part of the code that limits the password to six digits?

Anders
  • Perhaps the bank stores data in plaintext and limits password length *to free up space on their HD*. I know it's ridiculous, but other possible explanations (sheer laziness, false sense of security, etc.) are at least as ridiculous, considering it is a banking website. – A. Darwin May 31 '16 at 13:47
  • @A.Darwin one other simple explanation is that they want the same password to be used via the ATM or similar input-constrained system. Scary, nonetheless. – Jeff Meden May 31 '16 at 14:07
  • There's no point considering an offline attack against a bank because bank card PINs can be even shorter and the security model implicitly assumes the database storing these credentials will not be dumped. After all, the bank is liable for any money loss unless they can prove the customer has been uncareful with his/her password. They will have weighted this against the cost related to the customer forgetting a complicated password before this decision is made. – billc.cn May 31 '16 at 15:02
  • @billc.cn If I were to guess the password for the webpage and the actual card PIN lives in completely separate systems, so one being stolen does not imply that the other one is. – Anders May 31 '16 at 15:15
  • @Anders Any bank would no doubt have spent a lot of effort and money to design, implement and maybe certify the PIN storage system. When online banking comes, no one in his right mind would design a completely different system. They would copy whatever they can and ensure both systems are equally secure. Any less will be negligence and the bank would not be able to defend itself if there's a breach of the online banking system. – billc.cn May 31 '16 at 15:35
  • @billc.cn That is an assumption I am not comfortable making, especially not for an organisation that does not let users pick strong passwords. Also, the security requirements for both systems are quite different. – Anders May 31 '16 at 15:38
  • PINs for cards are not as much of a risk, as someone needs to get my card AND PIN, so just getting my PIN is less bad than getting my username and password for internet banking. – Ian Ringrose May 31 '16 at 16:08
  • I like what you said about how "most people don't pick [passwords] at random". The fact that humans are choosing the 6 digits adds to the weakness of the passwords. The probability of guessing the correct password for an account will probably be greater than 1/10^6 when trying `000000` or other commonly used passwords. – WillS May 31 '16 at 23:48
  • Banks will quickly identify, and lockout suspicious activity. A hacker would get only a few attempts before the account is locked. After being locked it won't be unlocked until the user contracts the bank by phone. – user1751825 Jun 01 '16 at 08:41
  • @user1751825 This is all things you are assuming about this particular bank. Defending against a distributed attack on multiple accounts is not easy. – Anders Jun 01 '16 at 09:11
  • @Anders The other thing to consider though is what the hacker can actual do with an online banking account, once they've hacked in. Most online banking system only allow money to be either transferred between accounts, or sent to pre-approved recipients. Adding new recipients usually requires 2 factor authentication, using a mobile phone. – user1751825 Jun 02 '16 at 03:30
  • @user1751825 I address that in my answer: "An attacker could still see your account history, something that could contain very sensitive information and also be used for phishing." – Anders Jun 02 '16 at 05:17
  • An account number is indeed not a secret, it's disclosed on every check you write. – tsturzl Jun 02 '16 at 14:22
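The offline attack the answer above describes ("if one attempt takes 1 second, you will crack a password in 11 days"), as an added worked example that is not part of the answer or of any bank's code. It assumes the pessimistic storage scheme SHA-256(salt || pin), a constructed popular-first guess order, and illustrative names (`store_pin`, `crack`, `exhaustive_seconds`); the salt is generated locally so nothing here touches a real system. The point it makes runnable is that salting only stops precomputation, and a slow KDF only rescales the cost per guess; neither changes the 10^6 candidates that have to be tried.

```python
"""Offline search of a 6-digit PIN from a leaked salted hash: the keyspace is
10^6 whatever the hash, so the only lever left is the cost per guess."""
import hashlib
import os

KEYSPACE = 10 ** 6


# Assumed (pessimistic) storage scheme: SHA-256(salt || pin). The salt stops
# rainbow tables, not enumeration of a million candidates.
def store_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + pin.encode()).digest()


# Constructed, illustrative guess order: a handful of PINs people actually
# choose, most popular first, then the whole keyspace in numeric order
# (the popular ones get tried a second time there; the waste is negligible).
POPULAR_FIRST = ["123456", "111111", "000000", "123123"]


def candidates():
    yield from POPULAR_FIRST
    for n in range(KEYSPACE):
        yield f"{n:06d}"


def crack(salt: bytes, digest: bytes):
    """Return (pin, attempts) once the digest is reproduced, (None, attempts) otherwise."""
    attempts = 0
    for pin in candidates():
        attempts += 1
        if store_pin(pin, salt) == digest:
            return pin, attempts
    return None, attempts


def exhaustive_seconds(seconds_per_hash: float, keyspace: int = KEYSPACE) -> float:
    """Worst-case wall-clock for one record: a slow KDF scales this linearly,
    it cannot enlarge the keyspace."""
    return keyspace * seconds_per_hash


if __name__ == "__main__":
    salt = os.urandom(16)
    print(crack(salt, store_pin("048213", salt)))          # ('048213', 48218)
    print(exhaustive_seconds(1.0) / 86400, "days for 10^6 at 1 s per hash")
    print(exhaustive_seconds(1.0, 62 ** 6) / (86400 * 365), "years for 62^6 at the same cost")
```

At one second per hash the full 6-digit space is 11.6 days per record, and a popular-first order finds the common choices in a handful of attempts; the same per-hash cost against 62^6 candidates is measured in centuries, which is the whole difference a real password policy makes to the offline case.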

Contrary Opinion: Beware

It is highly likely that you as the user have not been made aware of other security measures put in place by your bank in front of your PIN. I know that as for CapitalOne360, which has a similar 4 - 6 digit pin system, I was shocked! But after a while of using the PIN on the same computer, I finally needed to login on an alternate machine (different IP, different browser). When I had done this, it had actually asked me for a password. Not only this, but then after I had successfully entered the password it also requested my PIN as a bonus.

After some research, I discovered that the browser only asks for a password when the user first visits the website and receives some sort of authentication cookie. Once the user account is trusted on that machine's IP/Cookie combination, it then allows passwordless, PIN-only logon. But the first time the user logs in, they ARE required to enter a password. You may just be unaware of the practice (as I was).

I find it incredibly unlikely that a bank which already has a functional working password system would completely bin it for a 6-digit only, numerical PIN number. Companies may perhaps seem stupid, but considering that a 6-digit authentication breaks common sense, as well as PCI standards, I sincerely doubt this is the only authentication present. Perhaps the original poster can shed additional light on this in case I missed something.

duper51
  • This is pretty interesting. I shall investigate further... – mika Jun 01 '16 at 06:37
  • +1; other security measures like checking which device you have logged in from may make it more secure, yes. – perfectionist Jun 01 '16 at 09:12
  • A determined attacker could still break into your account without your knowledge, however. They'd just need to watch you enter your pin, then do it themselves on the same network you were on once you leave. Sounds tedious and unlikely, but consider that the attacker's motivation is the contents of your bank account. Assuming you have at least $5000, an attacker only needs to break into 9 more accounts in a similar fashion and they have a comfortable amount of money to live on. Finding targets is as simple as following people out of the bank building. – haze Jun 01 '16 at 13:10
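The trusted-device behaviour the answer above describes (full password on a new machine, PIN alone afterwards), as an added example that is not part of the answer and is not how CapitalOne360 or any particular bank implements it. It assumes an HMAC-signed device token set as a cookie after a full login, a 30-day token lifetime, a demo-only hashed credential store, and illustrative names (`issue_device_token`, `device_trusted`, `login`). One design choice worth noting: an untrusted device must present the password before the PIN is even evaluated, so a new device never gets a PIN-only guessing oracle.

```python
"""Step-up login: a PIN alone is accepted only from a device that earlier
completed a full password login and still holds a signed device token."""
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)   # assumed: server-side secret for device tokens
TOKEN_TTL = 30 * 24 * 3600             # assumed: trusted-device lifetime, 30 days


def _h(secret: str) -> str:
    # Demo-only credential storage; a real deployment would use a salted slow KDF.
    return hashlib.sha256(secret.encode()).hexdigest()


# Constructed customer record: a 6-digit PIN plus a full password.
USERS = {"alice": {"pin": _h("482913"), "password": _h("correct horse battery staple")}}


def _check(secret: str, stored: str) -> bool:
    return hmac.compare_digest(_h(secret), stored)


def issue_device_token(user: str, now: float = None, key: bytes = SERVER_KEY) -> str:
    """user|expiry|HMAC-SHA256 over the first two fields; set as a cookie after
    a full password login."""
    exp = int((time.time() if now is None else now) + TOKEN_TTL)
    body = f"{user}|{exp}"
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{tag}"


def device_trusted(token, user: str, now: float = None, key: bytes = SERVER_KEY) -> bool:
    """True only if the MAC verifies, the token names this user and it has not expired."""
    try:
        t_user, exp, tag = token.split("|")
        exp = int(exp)
    except (AttributeError, ValueError):
        return False
    expected = hmac.new(key, f"{t_user}|{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False
    return t_user == user and exp > (time.time() if now is None else now)


def login(user: str, pin: str, password: str = None, token: str = None, now: float = None):
    """Return (result, device_token). Untrusted devices must present the full
    password before the PIN is evaluated at all; trusted devices get PIN-only
    logins until their token expires."""
    rec = USERS.get(user)
    trusted = rec is not None and device_trusted(token, user, now=now)
    if not trusted:
        if rec is None or password is None or not _check(password, rec["password"]):
            return "password-required", None
    if not _check(pin, rec["pin"]):
        return "denied", None
    return "ok", token if trusted else issue_device_token(user, now=now)


if __name__ == "__main__":
    print(login("alice", "482913"))                       # new device: password-required
    result, cookie = login("alice", "482913", password="correct horse battery staple")
    print(result, "token issued")
    print(login("alice", "482913", token=cookie))          # same device: PIN alone is enough
    print(login("alice", "482913", token=cookie, now=time.time() + TOKEN_TTL + 1))  # expired
```

A stolen or forged cookie is the obvious weak point of this arrangement, which is why the token carries a MAC, an expiry and the user it was issued to, and why the server should also bind it to whatever device signals it has (the answer's "IP/Cookie combination"); the cookie is still only a second factor in the loosest sense, since anyone who can read the browser's cookie jar also holds it.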

Is a 6 digit numerical password secure enough for online banking?

No, it is not, not just because of ability of a malicious user to break such an authentication mechanism, but because it violates PCI-DSS compliance standards and the FFIEC guidance on authentication. In addition, multi-factor authentication has been required by FFIEC guidance since 2006.

I'm pretty sure you are missing something in your examination of your web site-- i.e. there may be additional factors of authentication that only kick in under certain circumstances, e.g. if you change your device or IP address. Either that, or you're not actually writing about a real online banking web site, but some third party financial assistance site (which I would probably stop using if I were you).

sanmai
John Wu
  • To clarify for non US users, I would [edit] your answer to say US law instead of just law. Just a little pet peeve of mine. – Anders Jun 01 '16 at 07:34

I'm going to take a contrarian stance, and say yes, it's secure enough, for a bank.

  1. Banks usually have lots of money to recover from breaches
  2. Banks usually have lots of influence with the government, and can avoid class-action lawsuits (I'm from Canada, and we have only a few, large banks)
  3. Banks have lots of customers, and fewer support calls = more money in their pockets
  4. Banks usually run on old mainframes, which are expensive to update
  5. Banks usually have fraud detection software analyzing all transactions

So, it's not a question of absolute security, it's a question of whether this password policy is profit-maximizing. In most Western countries, the directors of the bank are legally required to maximize profit for the shareholders.

From a customer perspective:

I don't recommend trying to brute-force your own password, but if you did, you'll (hopefully) notice an account lockout after 3-5 attempts. This reduces the effectiveness of brute-force attacks.

With my bank, I am asked security questions if I login from a computer I have not logged in with before. So a hacker, on a different computer, would have to guess the password, and know the answer to the security question.

If you're a consumer, your government hopefully provides consumer protection resulting in a return of your money if there's fraud.

Neil McGuigan
  • Not saying you are wrong, but you could also view the question from the perspective of the customer. Does it maximize my expected utility to use a bank that doesn't care about the privacy of my financial data? – Anders May 31 '16 at 19:32
  • @Anders exactly right. Question specifically asks about implications for customer. This answer doesn't address that – Neil Smithline May 31 '16 at 19:41
  • @Anders: As far as my bank is concerned, I don't worry about the privacy of my financial data, I worry about my money. – gnasher729 May 31 '16 at 19:46
  • The bit about "maximizing profit for shareholders" is pure nonsense, _especially_ for banks. There are some non-specific guidelines for acting in the interest of shareholders, but (A) outside of the USA this generally covers all stakeholders, (B) this is secondary to obeying the laws, (C) ignores that continuity of business is also a shareholder interest, and most importantly, (D) there are many specific laws for banking that specifically require banks to act in their customers' interest. Especially the EU has extensive consumer protection laws. – MSalters Jun 01 '16 at 14:05

Compared to common practices in the sector, your conditions are not that unusual. My bank has similar policies, with two notable differences:

  • the username is NOT my card number. I have received it by mail in a protected envelope, similar to one they used to send my PIN. It's not a real secret though, it can be found on some of the statements as well.

  • my password is numerical with 6 digits MINIMUM (up to 10 digits I believe). But I use a 6-digit pin nevertheless.

My online banking account also gets locked after 3 failed login attempts, so I'm pretty confident it won't get brute-forced. I suppose your bank has the same policy; you may want to read your contract or verify to be sure. I have never been denied the access to my account except that one time I forgot one of the digits and tried to brute-force it.

Dmitry Grigoryev

It seems like weak security, but in reality a brute force hack is not feasible for online banking.

Banks use very robust fraud detection systems, and very rigorous monitoring. Account lockout typically requires a phone call to re-activate, unlike many other online systems which simply use a time-based lockout.

They will also almost certainly be using anti-forgery tokens in the login form, so you cannot simply fire POST requests at the end-point and expect them to work. Realistically you would be limited to browser automation hacking, which will slow things down considerably, and require a lot more complex programming to set up. Many online banking sites also use randomly generated keypads, so your automation script would need to be able to do OCR to recognize which keys to press.

So, in practice, the short pin length isn't quite the glaring security failure that others are suggesting.

Brute force typically is not how online accounts are compromised anyway. Phishing and social engineering are the preferred methods, and pin length/complexity will not help prevent this.

user1751825
  • 915
  • 4
  • 10
2

If, as you pointed out in the notes:

Someone entering my account is still not able to make a payment before it goes through another security mechanism (which we will assume to be good).

Then it is likely that the only thing the 6-digit password protects is the account balance and history.

For comparison: my Japanese bank sends me my account history printed, in regular mail. My mail box is unprotected and anyone can retrieve the letter.

So a 6-digit password (possibly with a retry limit and timeout) seems like an improvement.

techraf
  • 9,149
  • 11
  • 44
  • 62
  • 1
    When I've needed to speak to someone at my (UK) bank or credit card company, I'm often asked for the amount and payee of some recent transactions as part of the security measures, alongside other information such as full address and date of birth. So access to transaction history could help an attacker do a 'privilege escalation' so they could then e.g. make a transfer or 'confirm' a fraudulent transaction. (I always have to log in to the relevant website to look up this info myself, as my memory is hopeless.) – nekomatic Jun 01 '16 at 15:46
  • 1
    To steal your mail, an attacker needs to be physically present at your mailbox. An attacker can attempt to remotely access your account from anywhere on Earth. – David Conrad Jun 01 '16 at 18:33
  • @DavidConrad So what? That affects the perceived level of creepiness, but has no influence on security. – techraf Jun 01 '16 at 22:31
  • 1
    Increasing the number of potential attackers increases the probability of an attack. – David Conrad Jun 01 '16 at 23:29
  • So what? The question was how does (given the conditions) 6-digit password "compare to common practices"? I answered by giving a comparison to my bank's established practice. Does your comment add anything to this? Does it criticise? Or is it just non-relevant? – techraf Jun 01 '16 at 23:32
  • @DavidConrad Part of the fraud detection is based on location of remote access. If I've always accessed my bank from Australia, and suddenly I'm making transactions from China it will trigger alarms, and my account will almost certainly be locked. – user1751825 Jun 02 '16 at 03:49
  • Fair enough, then. – David Conrad Jun 02 '16 at 09:00
1

It is not secure enough from a global point of view. Think of a system trying to log in to 100000 accounts, using one password number. Why many banks rely on it is above my understanding. Even viewing your account (without the ability to withdraw any money) can actually do harm (address, balance, ...).

Another problem is that even locking your account can be a kind of social engineering. It should not be possible to lock somebody else's account by typing 3/5 wrong passwords. It is not used much as such, but can do a lot of harm or inconvenience. Think about somebody locking someone else's account on purpose, then calling him "on the bank's behalf" for phishing reasons. Or just to annoy him (online revenge, etc.).

FKh
  • 11
  • 2
1

In the big picture it may actually be more secure.

When we computer people talk about security we talk about bits of entropy, hash algorithms, brute force attempts and the like. It's easy to forget one simple, unavoidable rule. People are stupid! All of that goes out the window when a user writes down their password, PIN number, and security question/answer on a piece of paper, wraps that paper around their ATM card, and shoves the whole thing in their wallet. (Or puts their password on a yellow sticky note under the monitor.)

Using a single 6 digit password, in conjunction with multi-factor authentication, and a strong lockout policy is probably a lot better "in the big picture" than several more complex passwords.

Let's take an example:

Old Way:

A user sets up their account, then has to choose a card PIN. They are told to use a number they can remember. Most people choose a date or combination of dates, or 1234.

The user is then asked to set a "security question and answer" for when they call in. They choose something like "What elementary school did you go to in 5th grade?"

The user is then asked to set a secure password on the website, but hates these things because they can never really remember a secure password so they set "sunsname123@" and the teller writes it down for them and the user shoves it in their wallet.

This is pretty standard practice. PIN numbers can be figured out by only needing to check a subset of the numbers that might be a valid date, in a few combinations. The security question is pointless, as it's public knowledge, and the password meets all the technical requirements of a "secure password" but isn't.

New Way:

A user sets up their account, and is asked to choose a 6 digit everything pin. They still choose one based on a date.

The user is then helped with, or given, or told to install a multi-factor authenticator (let's pretend a key fob for now).

Now no matter the transaction, be it ATM or in branch or over the phone, you can instruct the bank staff, and the customer, to provide/receive the PIN and the MFA code.

In the real world this probably presents less risk than the less security inclined people calling in once a week because they forgot their password, providing the public knowledge answer to their security question, resetting their password and writing it down AGAIN and sticking it in their wallets.

coteyr
  • 1,546
  • 9
  • 12
1

Almost, but not quite

It is "secure enough" in the sense that at first sight, it is highly unlikely (near impossible) that someone gets into your account at all and can access data such as e.g. your account balance, and insofar as it is even less likely (due to two-factor auth) that they will be able to make a transaction.

It is not secure enough insofar as it is trivially possible to feed random account numbers with random PINs (the exact format of the account number including check digits is publicly known information, this greatly limits the search space). Note how random-random is just what is the precondition for the birthday paradox, so luck is on the attacker's side.

Unless the bank blocks by IP address when triggering lockout (unlikely, but even so you can trivially run the attack from a botnet), their strong lockout policy is worth exactly nothing against this attack. You can test literally tens of thousands of account/PIN combinations per second.

Yes, it is unfeasible to target you personally, and it is still kinda tedious to target someone, but targeting someone is not practically impossible, it is entirely doable without even breaking into the server and stealing the account database or such.

Now, if you consider the possibility of someone reading out your account balance and personal data and knowing your income as something you can live with (you don't have anything to hide, do you!), this is nevertheless a worrisome thing.

Not only do they now know who you are and where you live (and whether it's worth burgling your home or kidnapping your child), but also it is entirely possible given only the valid account holder's name and first name as well as the account number to direct debit you.
Sure enough, you can dispute the transaction -- if you become aware of it within 4 weeks. But if it escapes your attention, it's just bad luck for you. In either case, it's a lot of trouble.

Damon
  • 5,211
  • 1
  • 20
  • 26
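FKh's and Damon's answers both describe the same pattern: one PIN tried across many accounts, which a per-account lockout of three attempts never triggers. Below is an added example (not code from either answer, nor from any bank's system) that sizes that risk and shows a detection keyed on the source rather than the account; the log format, addresses and thresholds are constructed assumptions.

```python
# Added example (not code from any answer on this page): a defender's view of
# the "one PIN, many accounts" pattern discussed above.  All log lines,
# addresses and thresholds are constructed for illustration.
from collections import defaultdict

PIN_SPACE = 10 ** 6  # a 6-digit numerical password


def expected_compromises(accounts, lockout_threshold, pin_space=PIN_SPACE):
    """Expected number of accounts opened when an attacker tries up to
    `lockout_threshold` guesses against *every* account, assuming uniformly
    random PINs.  Per-account lockout caps each account at k/pin_space, but
    the total still grows linearly with the number of accounts."""
    per_account = min(lockout_threshold, pin_space) / pin_space
    return accounts * per_account


def detect_spray(log_lines, min_accounts=20, max_per_account=3):
    """Flag sources that fail against many distinct accounts while staying
    under the per-account lockout threshold.  Per-account lockout never sees
    this pattern; a counter keyed on the source does.
    Log line format (constructed): '<time> <source_ip> <account> <result>'."""
    failures = defaultdict(lambda: defaultdict(int))  # ip -> account -> fails
    for line in log_lines:
        _time, ip, account, result = line.split()
        if result == "FAIL":
            failures[ip][account] += 1
    flagged = []
    for ip, per_account in failures.items():
        many_accounts = len(per_account) >= min_accounts
        under_lockout = max(per_account.values()) <= max_per_account
        if many_accounts and under_lockout:
            flagged.append(ip)
    return sorted(flagged)


# Constructed sample log: 203.0.113.7 tries one PIN against 40 accounts and
# locks none of them; 198.51.100.9 hits a single account three times and is
# stopped by the ordinary lockout; 192.0.2.5 is a legitimate login.
SAMPLE_LOG = [f"t{i:03d} 203.0.113.7 ACCT{i:05d} FAIL" for i in range(40)]
SAMPLE_LOG += [f"t{100 + i} 198.51.100.9 ACCT00001 FAIL" for i in range(3)]
SAMPLE_LOG.append("t200 192.0.2.5 ACCT00042 OK")

if __name__ == "__main__":
    # 100,000 accounts, 3 guesses each before lockout: per-account lockout
    # alone leaves about 0.3 expected compromised accounts per full sweep.
    print(expected_compromises(100_000, 3))
    print(detect_spray(SAMPLE_LOG))  # ['203.0.113.7']
```

Raising `min_accounts` or lowering the per-source failure budget trades false positives against the size of sweep that goes unnoticed; the per-account lockout on its own changes nothing in `detect_spray`'s input.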
0

Yes, it's fine, but only if it's part of multi-factor authentication* and includes a system of side-channel verification on user actions**.

All less secure solutions are in my opinion not adequate in a modern internet bank and do not address infected computers, MIBs etc.

*For example that you have to vouch for the computer you are using, through your mobile phone.

**Such as each payment action being sent with a code to your mobile phone that also includes details on the payment action you are accepting.

Simply G.
  • 518
  • 3
  • 12